Loophole Could Give Android Devs a Private Picture Show

A developer has demonstrated a way for Android apps to swipe the latest photo taken with a user's phone and post it on the Web without getting the user's permission. "For some reason, the Android developers didn't establish permissions for photo access, so if your app has permission to access the Internet, it has access to your photos too," said the Yankee Group's Carl Howe.

Similar to Apple's iOS, Android is vulnerable to apps secretly copying photos, The New York Times has reported.

The publication commissioned Android developer Ralph Gootee to create a test app that masquerades as a simple timer but steals the most recent image on the user's smartphone and posts it on a public photo-sharing site.

Critics said the development further emphasizes the danger of Google's hands-off approach to the Android Market.

"The open nature of Android development is a risk," Patrick Runald, senior manager of security research at Websense, told LinuxInsider.

"Loose restrictions in the Android SDK (software development kit) due to legacy issues let the app created by Gootee snoop on the smartphone's photo library," said Michael Sutton, vice president of security research at Zscaler ThreatLabZ.

How the Rogue App Worked

When installed, the app told the user it wanted to access the Internet.

Once the app was launched and the user set the timer, the app went into the photo library on the user's smartphone, retrieved the most recent image, and posted it on a public photo-sharing site.

The app did not tell the user anything about accessing photos.

"This photo issue is about permissions," Carl Howe, a research vice president at the Yankee Group, told LinuxInsider. "For some reason, the Android developers didn't establish permissions for photo access, so if your app has permission to access the Internet, it has access to your photos too. I think it was just an oversight."

Google did not respond to our request for comment for this story.

What Happened to Bouncer?

In early February, Google revealed a new layer to Android security in the form of Bouncer.

This has apparently been working since 2011. It automatically scans the Android Market for potentially malicious software.

Once an app is uploaded to the market, Bouncer analyzes it for known malware, spyware and Trojans. It also looks for suspicious behaviors and compares the app against previously analyzed apps to detect possible red flags. Google runs every app on its cloud infrastructure and simulates how it will run on an Android device to spot hidden malicious behavior.

Bouncer also analyzes new developer accounts to help keep out devs who have previously created malicious apps.

The ability of an Android app to illicitly access pictures on a user's device doesn't exploit a vulnerability, but is due to loose restrictions in the Android SDK, and it's not clear if Bouncer has been designed to deal with this issue, Zscaler ThreatLabZ's Sutton said.

"This also isn't a situation where a rogue application was spotted in the [Market]," Sutton continued. "Rather, a developer was asked to create a sample application to demonstrate the capabilities. It would not have been submitted to the Android [Market] and would not, therefore, have ever been scanned by Bouncer."

It's not clear whether Bouncer has been designed to detect the kind of behavior the app created for The New York Times demonstrated, Sutton said.

What About iOS?

Earlier this week, news emerged of a loophole in the iOS operating system that would let appdevs access the photos of device owners without their permission.

"The situation with Apple is different [from that with Android]," the Yankee Group's Howe said. On iOS, the apps sought permission for location information. That then gave them access to the photos.

"In many ways, this is like giving your housekeeper the keys to your digital house," Howe remarked. "Most housekeepers are completely trustworthy ... but every now and again a bad actor shows up, it becomes front page news, and people get new locks. But the day after that, everyone still needs their houses cleaned, and the world goes back to the way it was."